With the fools running this sh*tshow, I doubt that anything is unintended. If you’ve signed up for 0bamaDoesn’tCare through the federal exchange, your information is getting passed around to who knows how many third-party sites. I guess it’s not a HIPAA violation when the feds do it:
The Associated Press reports that healthcare.gov, the flagship site of the Affordable Care Act, where millions of Americans have signed up to receive health care, is quietly sending personal health information to a number of third party websites. The information being sent includes one’s zip code, income level, smoking status, pregnancy status and more.
EFF researchers have independently confirmed that healthcare.gov is sending personal health information to at least 14 third party domains, even if the user has enabled Do Not Track. The information is sent via the referrer header, which contains the URL of the page requesting a third party resource. The referrer header is an essential part of the HTTP protocol, and is sent for every request that is made on the web. The referrer header lets the requested resource know what URL the request came from. This would for example let a website know who else was linking to their pages. In this case however the referrer URL contains personal health information.
The screencap provided by EFF lists a number of advertising and analytics providers. These providers end up getting the referrer string, which your browser sends with nearly every request it makes: for a webpage, an image, a script, a tracking pixel. The referrer is usually whatever URL is in your address bar at the moment, query string included.
There are two ways a form can send what you typed to a website. With an HTTP POST request, the form fields are packed into the request body and sent to the server along with the rest of the request. With an HTTP GET request, the form fields are appended to the URL as a query string. POST is not a security control in itself (anyone with a proxy can tamper with a request body as easily as a URL), but it keeps the form data out of the URL, so it doesn’t end up in the referrer, the browser history, bookmarks, or the access logs of every server and proxy along the way; what other services see in the referrer is a much simpler-looking URL (such as https://alfter.us/wp/). GET requests end up looking more like this example EFF retrieved from its interactions with healthcare.gov:
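The difference between the two form methods, and what a third party actually receives in the referrer, is easy to reproduce without a browser. The following script is an added example and is not code from this post or from EFF’s write-up: it builds a GET and a POST submission from a constructed form (hypothetical host exchange.example.gov and field names zip, income, smoker, pregnant, not the real healthcare.gov form), computes the Referer a browser would send to each third-party resource under the rules of the W3C Referrer Policy spec, and reports which fields each cross-origin host ends up with. The default policy assumed here is no-referrer-when-downgrade, which is what browsers used in 2015 when EFF ran its test; the hostnames of the third-party resources are likewise made up.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qs

# Constructed sample data (hypothetical host and field names, not healthcare.gov's real form):
FORM_ACTION = "https://exchange.example.gov/enroll/plans"
FORM_DATA = {"zip": "12345", "income": "45000", "smoker": "yes", "pregnant": "no"}
THIRD_PARTIES = [
    "https://ads.example.net/pixel.gif",              # hypothetical ad network
    "https://analytics.example.com/collect",          # hypothetical analytics provider
    "https://exchange.example.gov/static/logo.png",   # same-origin asset, for comparison
]


def submit_get(action, data):
    """A form with method=GET puts every field into the page URL's query string."""
    parts = urlsplit(action)
    return urlunsplit(parts._replace(query=urlencode(data)))


def submit_post(action, data):
    """A form with method=POST keeps the URL clean and carries the fields in the body.
    Returns (url, body); the url is what later requests will use as their referrer."""
    return action, urlencode(data)


def referrer_for(page_url, request_url, policy="no-referrer-when-downgrade"):
    """Referer value a browser sends when page_url loads request_url under the given
    Referrer-Policy. Implements the policy table from the W3C Referrer Policy spec.
    Default is no-referrer-when-downgrade (the browser default in 2015, when EFF ran its
    test); current browsers default to strict-origin-when-cross-origin."""
    src, dst = urlsplit(page_url), urlsplit(request_url)
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    host = src.netloc.rsplit("@", 1)[-1]          # referrers never carry user:pass@
    origin_only = f"{src.scheme}://{host}/"
    # the "full" referrer keeps path and query; only the fragment is dropped
    full = urlunsplit((src.scheme, host, src.path, src.query, ""))
    table = {
        "no-referrer": None,
        "no-referrer-when-downgrade": None if downgrade else full,
        "origin": origin_only,
        "origin-when-cross-origin": full if same_origin else origin_only,
        "same-origin": full if same_origin else None,
        "strict-origin": None if downgrade else origin_only,
        "strict-origin-when-cross-origin": full if same_origin else (None if downgrade else origin_only),
        "unsafe-url": full,
    }
    return table[policy]


def leaked_fields(referer, sensitive=tuple(FORM_DATA)):
    """Which sensitive form fields can be read back out of a Referer value."""
    if referer is None:
        return set()
    return set(parse_qs(urlsplit(referer).query)) & set(sensitive)


def audit(page_url, request_urls, policy="no-referrer-when-downgrade"):
    """Map each cross-origin host to the sensitive fields it would receive via Referer.
    This is the check EFF did by hand from a network capture, run against the simulated
    browser above instead of a live one."""
    page_host = urlsplit(page_url).netloc
    report = {}
    for url in request_urls:
        host = urlsplit(url).netloc
        if host == page_host:
            continue                      # first-party request, not a third-party leak
        fields = leaked_fields(referrer_for(page_url, url, policy))
        if fields:
            report[host] = sorted(fields)
    return report


if __name__ == "__main__":
    get_url = submit_get(FORM_ACTION, FORM_DATA)
    post_url, _body = submit_post(FORM_ACTION, FORM_DATA)
    print("GET page URL :", get_url)
    print("POST page URL:", post_url)
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{policy:>32}: GET form leaks {audit(get_url, THIRD_PARTIES, policy)}")
    print("POST form, 2015 default policy:", audit(post_url, THIRD_PARTIES))
```

Two things fall out of running it. Under the 2015 default policy every cross-origin host receives the complete query string, while the POST version of the same form leaks nothing because there is no query string to leak. And a site that cannot (or will not) change its forms still has a cheap fix: sending a `Referrer-Policy: strict-origin-when-cross-origin` (or `no-referrer`) response header trims the referrer to the bare origin for third-party requests, which is the same effect the `strict-origin-when-cross-origin` line in the output shows. Do Not Track changes none of this, which is why EFF saw the leak with DNT enabled.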
Look at what kind of personal information (in bold) is getting sent along with that. In this case, the request to DoubleClick (an advertising outfit owned by Google) included the referring URL. In all, EFF counted 14 domains that receive personally-identifiable information from healthcare.gov, including Google, Twitter, Yahoo, and YouTube. Another excerpt:
Sending such personal information raises significant privacy concerns. A company like Doubleclick, for example, could match up the personal data provided by healthcare.gov with an already extensive trove of information about what you read online and what your buying preferences are to create an extremely detailed profile of exactly who you are and what your interests are. It could do all this based on a tracking cookie that it sets which would be the same across any site you visit. Based on this data, Doubleclick could start showing you smoking ads or infer your risk of cancer based on where you live, how old you are and your status as a smoker. Doubleclick might start to show you ads related to pregnancy, which could have embarrassing and potentially dangerous consequences such as when Target notified a woman’s family that she was pregnant before she even told them.
You could ask why healthcare.gov is using third-party analytics and advertising. You could ask why they’re passing sensitive information around in HTTP GET requests. (Considering the botched rollout of “404Care,” that they’d make rookie mistakes like these shouldn’t be too surprising.) The better question to ask, though, is this: why on God’s green earth did anybody ever think this would ever turn out any differently? 0bamaDoesn’tCare was a solution in search of a problem, and a pretty piss-poor solution at that.